Investors risk losing assets from increased cyber attacks on financial advisors and broker-dealers, the Securities and Exchange Commission warned today.
The increase is coming in the form of a technique called “credential stuffing,” which the SEC said is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks.
Credential stuffing is an automated attack on web-based user accounts and on direct network login credentials. Attackers obtain lists of usernames, email addresses and corresponding passwords from the dark web, then try the compromised usernames and passwords on other websites in an attempt to log in and gain unauthorized access to customer accounts.
When a credential stuffing attack is successful, bad actors can use the access to the customer accounts to gain access to firms’ systems, where they are able to steal assets from customer accounts, access confidential customer information and obtain login credential/website information, the SEC explained.
The crooks can then sell the information to other bad actors on the dark web, gain access to network and system resources, or monitor and/or take over a customer’s or staff member’s account for other purposes, the risk alert cautioned.
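As an added illustration that is not part of the SEC alert or this article, here is one way a firm’s security team could tell the two patterns apart in its own login logs: credential stuffing shows up as a single source cycling through many usernames with roughly one attempt each, while brute force hammers one username repeatedly. The log format, thresholds and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real firm):
# "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>" per line.
SAMPLE_LOG = """\
2020-09-15T10:00:01 203.0.113.7 alice FAIL
2020-09-15T10:00:02 203.0.113.7 bob FAIL
2020-09-15T10:00:03 203.0.113.7 carol FAIL
2020-09-15T10:00:04 203.0.113.7 dave SUCCESS
2020-09-15T10:00:05 203.0.113.7 erin FAIL
2020-09-15T10:00:10 198.51.100.9 alice FAIL
2020-09-15T10:00:11 198.51.100.9 alice FAIL
2020-09-15T10:00:12 198.51.100.9 alice FAIL
2020-09-15T10:00:13 198.51.100.9 alice FAIL
2020-09-15T10:00:14 198.51.100.9 alice FAIL
2020-09-15T10:05:00 192.0.2.44 grace SUCCESS
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events

def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, min_users=5):
    """Label each source IP whose logins inside one time window look automated.
    credential_stuffing: many distinct usernames tried about once each (a stolen
    list replayed here); brute_force: many attempts on a single username.
    Returns {ip: (label, usernames that logged in successfully from that ip)},
    because accounts that accepted a password from a flagged source need review."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_win = [a for a in attempts[i:] if a[0] <= start + window]
            if len(in_win) < min_attempts:
                continue
            users = {u for _, u, _ in in_win}
            if len(users) >= min_users or len(users) == 1:
                label = "credential_stuffing" if len(users) >= min_users else "brute_force"
                findings[ip] = (label, sorted(u for _, u, ok in in_win if ok))
                break
    return findings
```

On the sample log, the first source is flagged as credential stuffing with the account `dave` listed for review, the second as brute force against `alice`, and the single benign login is ignored.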
As safeguards against credential stuffing, the SEC urged firms and investors to practice the basic cyber hygiene they have been urged to adopt for years: frequently changed, hard-to-guess passwords and multi-factor authentication.
Multi-factor authentication (MFA) requires more than one method (a password being one of them) to verify an account; the more factors, the more secure the account is against hackers.
However, the alert spotlights some rarely discussed precautions that should be taken with multi-factor authentication.
Mobile phone text messages are often used as a verification method for MFA, but they are not foolproof.
Investors and their financial advisors and broker-dealers should be alert to instances where their mobile devices suddenly stop working, as someone may have fraudulently attempted to transfer their phone number to another device, the SEC recommended.